HTTPS is no longer safe: US government is pressuring companies to provide access to secret encryption keys, according to report

Brass-Padlock_large

US government agencies are not completely satisfied with the fact that they have unhindered access to sensitive information from citizens. Apparently, they’ve also attempted — and are continually attempting — to acquire master encryption keys which would afford them access to otherwise secure material. You know, the encryption keys used to make HTTPS and SSL connections secure.

Without discussing the technology in full detail, asymmetric encryption — the type of encryption used for secure online connections such as HTTPS and SSL — is secure from prying eyes and increasingly difficult to crack due to a public-key-private-key architecture. The combination of a public key and a privacy key helps keep connections secure.

Out of the two keys, the private key is the most important because it is kept hidden and safe and is used to authenticate and ensure a connection is indeed secure. It is these private keys that US government agencies, such as the NSA and FBI, want access to from each tech company (each tech company has their own keys, because private keys differ from connection to connection). Dubbed master encryption keys, if the NSA and FBI were to be given access to the private keys, they would be able to decode internet connections as necessary and gain direct access to data. In other words, they would render HTTPS useless.

Believe it or not, encryption was never adopted to protect data and sensitive information from government agencies. Instead, it was widely adopted because of how many people use open and unsecure wireless access points. Of course, there are other underlying reasons why it was so widely adopted by many, but the fact is industry followed along these lines: Internet companies began using HTTPS/SSL encryption standards more regularly to protect users. But by protecting users, tech companies are also denying access to federal agencies, because while it is possible to crack these private keys if you have enough computing computer, cracking these keys is practically improbably due to their length and complexity… which is why HTTPS is a pillar of the web when it comes to secure transactions.

The previously undisclosed efforts by government agencies to access master encryption keys, have since been ousted thanks to recent coverage. Anonymous sources confirmed to CNET that the government has continuously attempted to obtain such keys from a wide variety of companies. The source further claims that agencies are targeting smaller companies who do not have the resources to fight such attacks:

“The government is definitely demanding SSL keys from providers.

I believe the government is beating up on the little guys. The government’s view is that anything we can think of, we can compel you to do.”

A former US Justice Department official spoke to CNET and claimed the following:

“The requests are coming because the Internet is very rapidly changing to an encrypted model. SSL has really impacted the capability of U.S. law enforcement. They’re now going to the ultimate application layer provider.”

Several requests for more information from prominent tech companies like Facebook, Google, Apple, and Verizon turned up nothing. In fact, a lot of them declined to comment on the matter when pressed. However, several documents leaked by Edward Snowden point to a possibility that the government has requested access to such tools in the past.

Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society, says that despite some of the evidence, it’s not exactly clear whether or not the government has the authority to request master encryption keys. Granick commented on whether or not they can:

“That’s an unanswered question. We don’t know whether you can be compelled to do that or not.”

Apparently the government has used subpoenas to request access to master encryption keys in the past, but sources claim they’re not sure whether or not companies would –or have- actually turned over such tools.

To quickly summarize, the possibility is definitely there, but the reality is shrouded in uncertainty. Looking at this from a logical standpoint, and considering what the government already has access to, what is truly stopping agencies and tech companies from sharing such information? If they were indeed sharing master encryption keys, would it be likely to assume that they’re never going to admit doing so? I’m not trying to incite riots or make ridiculous claims here, but come on. At this point we have to approach news without a glaze over our eyes and consider the possibility that governments (and businesses) around the world aren’t always open and honest… despite being “by the people, for the people”.

What do you think about the general situation? If you care to read more on the subject please be sure to visit the via link below. By all means, I certainly encourage you to read more at your convenience.

[via CNET, image via Wickes]

Share this post

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

13 comments

  1. Seamus McSeamus

    [@JonE]

    Excellent post. I recommend people do a few internet searches to see how many stories there are out there about innocent people being killed by police, wrong houses raided by police… little things like innocent until proven guilty are ignored now. The cops have been militarized, and are trained to see people as armed and dangerous, first and foremost

  2. JonE

    [@Helen Dewills] I’m pointing this at Helen because of her earlier comment, but it’s for everybody. It could fit into many of the articles/posts the past several days. While it doesn’t necessarily concerned Internet Security it is an example of how far south things have become in this country where we are as Darcy say’s supposed to be protected by unreasonable search and seizure and the freedom of speech and permitted to gather anywhere we wish as long as we do it quietly and peacfully.

    I tripped across this article today and Helen this guy had nothing to hide. The first reference I read was worded as follows: “Knock, knock.” You look out your window and standing at your front door are a dozen police officers there to hand-cuff you and whisk you off to jail.

    Your crime? You host daily prayer meetings with friends and family members at your home.

    When did this happen? I honestly don’t know; sometime several weeks ago; most of the references I found were dated between 6 – 11 July 2013. And it proceeds to tell us that, yes indeed, this actually did happen.

    Twelve Phoenix Police officers raided Michael Salman’s home earlier this month and arrested him. Twelve Police officers? To arrest one man? The prosecutor claims it has to due with zoning and permit problems. My question is, have they lowered crime so much in Phoenix that they need to go looking for things to do?

    And for his horrendous crime he received a sentence of 60 days in jail, 3 years probation (huh?), and $12,180.00 in fines.

    How did this come to light? Disgrunled neighbor(s) or an intercepted email or something like that. Don’t know. But this is how it starts. Neighbor against neighbor.

    Hey gotta watch what you say today; hate speech will get you thrown, not just in jail, but prison; not for something you did, but for something you said.

    So, when I hear someone say, “What’s the big deal!” when it concerns all of our rights and liberties, that are disappearing, I have to remind them that it could be them next.

  3. Darcy

    The way this is going, we need a constitutional amendment that will extend all the protections of the 4th amendment into the digital realm. There are good reasons why our forefathers wanted to protect the people from “unreasonable search and seizure.” The actions of the NSA, FBI, etc are well outside the spirit of the law.

    I would be all for streamlining the legal process, to help stop terrorist attacks, cybercrime, etc, but this is removing our protections entirely. Basically giving the government access to any information they want without the need for cause or due process. That’s far too much power in only one branch of the government, bypassing the system of checks and balances we have now. It would eliminate the Judicial review, required under our constitution, placing control exclusively under the administrative branch.

  4. Tom

    The govt flunkies are out to protect their jobs, and they fear that you may be talking about them and their policies behind the backs. Key access provides them another tool to confiscate and isolate your life. Totalitarian govts live in fear of freedom and liberty, and like a cornered dog, will strike out with all means possible to survive.

  5. Ashraf
    Mr. Boss

    [@Helen Dewills] In theory, there is no problem if you have nothing to hide. In practice, however, the potential for abuse is way too high.

    Plus, this can very easily turn into a slippery slope. What is next, allowing the feds to spy on us using our web cams in the name of national security? But we have nothing to hide! Would you be okay with that?

    Also, giving what is literally the keys to the internet to government agencies, who will likely create a database of said keys, is a terrible idea. Even if the government doesn’t abuse, what would happen if there was unauthorized access (foreign or domestic) to that database? Yeah…

  6. JonE

    [@Helen Dewills] I must disagree; ever hear of the KGB (Komitet Gosudarstvennoy Gezopasnosti (Committee for State Security))? Also known by many as the Russian Secret State Police. One day you get a knock on your door and there in front of you stand men in long coats; they are from the KGB and they are there to arrest you because of something you said, not something you did. There is no trial, and you are whisked off to prison where you spend many quiet, long years. And not even your family knows where you are unless there was a someone present when they arrested you. Doesn’t even matter whether you actually said what they say you said or not; you are guilty.

    Perhaps you’ve heard of a similar organization, from many years ago named The Geheime Staatspolizei (Secret State Police) better known as The Gestapo. Early on the German people had the power to do something about this, but didn’t, and because good men did nothing one of the most notorious gangs in history was born; The Gestapo. The same thing is happening in this country now. Gestapo or KGB both organizations were responsible for the imprisonment and death of many innocent human beings. If left unchecked I see the same things happening in the good old USA.

    No big deal; I most strenuously disagee. And with all the lessons history has to teach us it is very surprising that our politicians can be fooled into believing that any of this is good for our country. I could go on, but this is me shutting up.

  7. JonE

    Many in our government, the U.S. government, fought for many years to bring down the evil empire known as the USSR with it’s long reach known as the KGB. I was stationed in Germany when Ronald Reagan was instrumental in bringing down the Berlin Wall. I got to visit West Berlin just before the wall came down, but left Germany before the East once again became part of the West. Driving through East Germany was in interesting education, and meeting the very disciplined East German border guards was also very interesting; the only way I ever really wanted to meet a Russian military member, if you know what I mean. My main point is that we in this country spent years fighting against the evil empire.

    But, now it seem that this countries (United States) government has turned into the evil empire and took over where the USSR left off and we now even have our own form of the KGB too; I never saw it coming. But, ready or not, here it is.

  8. Seamus McSeamus

    [@Louis]

    I can’t speak for other Americans, but I’m not offended by your comments. I’ll be one of your backup singers. :)

    Unfortunately, most Americans today have no clue what is happening in their own country, never mind what might be going on in other parts of the world. They watch the Real Housewives and the Kardassians, and if gets much more complicated than that their head starts to hurt. You’d be surprised at how many people have no clue which country we gained our independence from, or the year in which it happened. The government-run educational system has been reduced to the lowest common denominator and no longer encourages excellence, but mediocrity.

    We are no longer a nation of people made of the stuff needed to draw lines in the sand. Most are unaware that a line even needs to be drawn.

  9. Louis

    Added to which : This is now moving beyond violating the rights of US citizens, to the rest of us as well.

    So if the USA Tech Corporations, or any hassled by the ‘security agencies, relocate / reincorporate in another country’s jurisdiction, that should theoretically put them out of the (legal) reach of these agencies.

    Think what that would do to the mighty US e-commerce industry ! Google is already starting to operate in Ireland in a big way. For example.

    Whatever happened to the fighting traditions of Americans against exploitation, all the way from slavery, factories exploiting the poor, governments drafting people against their will, etc etc ?

    Perhaps it’s time the American people draw another line in the sand. History has shown that Corporate America does really run the show behind the scenes. So threaten to hurt Corporate America in a huge and real way, and they will take care of their government, being really the government ‘by corporations, for corporations’. No-one is fooled by the political posturing to pretend otherwise, I’m sure

    The rest of us will applaud and support you.

    I’m not American, so if I offended anyone, my apologies. Of course, much worse happens elsewhere. It just seems that the model of democracy that the US Gov had always represented to the world, has somehow, one could say almost overnight, disappeared in a cloud of smoke and mirrors.

    Secret Court……. indeed !

  10. Anonymail

    Doesn’t sound like an exaggeration at all Ashraf!
    There would be no coming back from that.
    I would not be able to do business online period. I guess then the web would be for social things only. No more banking, amazon, book buying, anything. Makes no sense to me why they even need the master keys. Preppers might be on to something!

  11. Ashraf
    Mr. Boss

    HTTPS is the foundation of the secure web, not just for things like surfing Facebook or your email but for eCommerce and other transactions. If HTTPS is no longer secure, than the internet as a medium breaks down. That may sound like exaggeration but it isn’t. Think about it. Would you purchase something from Amazon if you knew your credit card information wasn’t safe? Yeah, I wouldn’t.